Audit Report

Mobile Device Security

A-14-14-14051 | September 2014

MEMORANDUM

Date:     September 26, 2014                                   Refer To:
To:       The Commissioner
From:     Inspector General
Subject:  Mobile Device Security (A-14-14-14051)

The attached final report presents the results of our audit. Our objective was to determine whether the Social Security Administration's mobile device security conformed with Federal standards and business best practices to mitigate unauthorized access to the Agency's sensitive information.

If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O'Carroll, Jr.

Attachment

Mobile Device Security
A-14-14-14051
September 2014                                    Office of Audit Report Summary

Objective

To determine whether the Social Security Administration's (SSA) mobile device security conformed with Federal standards and business best practices to mitigate unauthorized access to the Agency's sensitive information.

Background

While mobile devices allow employees to work from various locations, their mobility makes them susceptible to loss and theft. Recent data indicate that mobile devices are under increasing attack by cyber-criminals, exposing them to such risks as theft and introduction of malicious software, potentially disclosing sensitive information.

Given these vulnerabilities, the National Institute of Standards and Technology recommends agencies fully secure each mobile device before allowing a user to access it. Further, organizations should have a mobile device security policy to define what information employees can access with these devices.

Our Findings

We determined that SSA's security of mobile devices did not always conform with Federal standards and business best practices to mitigate unauthorized access to Agency sensitive information. Specifically, we found the Agency lacked a comprehensive, consolidated mobile device policy, did not secure all mobile devices, and provided minimal mobile device security training.

Our Recommendations

We recommend the Agency:

1. Develop a comprehensive, consolidated mobile device policy.

2. Develop and apply standard security configurations for all Agency-issued mobile devices.

3. Enhance annual information technology security awareness training to remind individuals who use mobile devices of their responsibilities, acceptable behavior, and specific risks when using Agency-issued mobile devices.

The Agency agreed with our recommendations.

TABLE OF CONTENTS

Objective ............................................................ 1
Background ........................................................... 1
Results of Review .................................................... 2
    Comprehensive, Consolidated Mobile Device Policy ................. 3
    Mobile Device Configuration ...................................... 4
        Blackberry Devices ........................................... 5
        Non-Blackberry Devices ....................................... 5
    Information Security Awareness Training .......................... 6
Conclusions .......................................................... 6
Recommendations ...................................................... 7
Agency Comments ...................................................... 7
Other Matters ........................................................ 7
Appendix A – Scope and Methodology ................................... A-1
Appendix B – Agency Comments ......................................... B-1
Appendix C – Major Contributors ...................................... C-1

Mobile Device Security (A-14-14-14051)

ABBREVIATIONS

CIO     Chief Information Officer
NIST    National Institute of Standards and Technology
OIG     Office of the Inspector General
SP      Special Publication
SSA     Social Security Administration

OBJECTIVE

Our objective was to determine whether the Social Security Administration's (SSA) mobile device security conformed with Federal standards and business best practices to mitigate unauthorized access to the Agency's sensitive information.

BACKGROUND

Mobile devices allow employees to work in various locations.[1] Additionally, mobile devices can access and store large volumes of data. However, the same features that make mobile devices desirable also make them a security challenge. For example, the portable nature of these devices makes them vulnerable to loss or theft.[2] According to recent data, mobile devices are under increasing attack by cyber-criminals. This can expose users and organizations to additional risks, such as theft and malicious software, and potentially disclose sensitive information either on the device or by allowing someone to use the device to remotely access Agency resources.[3] Individuals are using mobile devices for an increasing number of activities and often store sensitive data, such as email, calendars, contact information, and passwords. Moreover, mobile applications for social networking maintain personal information.

Cyber-criminals steal, publicly reveal, or sell personal information extracted from mobile devices. Cyber-criminals also search for information that will improve their chances of social engineering.[4] Cyber-criminals can use personal information, such as contact data for friends and business associates, as a launching pad to access Agency information or resources.[5]

Besides theft, cyber-criminals use malicious software and weaknesses in integrated mobile device features to gain knowledge or access.[6] According to a global leader in information security, 50 percent of mobile malicious software created in 2012 attempted to steal information or track movements.[7] A cyber-criminal can also infect a mobile device with a virus. Viruses can spread from infected desktops and laptops to a mobile device when connected through a Universal Serial Bus (USB) port, putting the device and any data it contains at risk.

According to the National Institute of Standards and Technology (NIST), organizations should fully secure each agency-issued mobile device before they allow a user access.[8] Additionally, the Federal Chief Information Officers Council, in conjunction with the Department of Homeland Security, recommends agencies have appropriate protection on agency-issued mobile devices.[9]

SSA's Blackberry smartphones access the Agency's email system and Intranet. Information from the email system may be stored on the Blackberry devices. Non-Blackberry mobile devices can connect to desktop computers. Users can store Agency data on, and move data from, a mobile device by dragging and dropping or by entering the data directly onto the device (for example, using the device's contacts or notes applications).

To accomplish our objective, we tested Blackberry and non-Blackberry mobile devices, and we interviewed device owners to determine whether SSA configured their devices appropriately to mitigate possible threats. We based our configuration checks on Federal standards and business best practices.[10] See Appendix A for additional information about our scope and methodology.

[1] For this review, we considered a mobile device to be a device that is handheld; has at least one wireless network interface for network access; has built-in data storage; and uses an operating system that is not a full-fledged desktop or laptop operating system. This included smartphones, tablets, and feature cellular telephones. We did not include non-feature cellular telephones, laptops, or portable mass storage devices in our review.

[2] According to Symantec, 36 percent of U.S. consumers' mobile devices were lost or stolen in 2010.

[3] According to Symantec, the amount of malicious mobile software continues to rise; there was a 58-percent increase in 2012 compared to 2011; and in 2013, 38 percent of mobile device users had experienced mobile cybercrime.

[4] Social engineering is a technique to trick people into divulging private information to gain unauthorized access to computer systems. Cyber-criminals must learn about the user to create a successful attack. They will research and compile email addresses, professional interests, conferences attended, and websites visited. The cyber-criminal's tools are designed to pull as much data as possible from the mobile device.

[5] Many people do not think a cyber-criminal would target them because they do not have an important enough position within an organization; however, their actions could help attackers. Cyber-criminals start by targeting low-level employees, but as the social network grows, the attack can target technical people, security people and even executives. Lucian Constantin, Fake social media ID duped security-aware IT guys, PCWorld, October 31, 2013.

[6] Integrated mobile device features include Bluetooth, camera, Internet access, location services, and text messaging.

[7] Symantec, Internet Security Threat Report 2013, April 2013, p. 4.

[8] NIST Special Publication (SP) 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, June 2013, p. vii.

[9] Federal CIO Council and Department of Homeland Security, Mobile Security Reference Architecture, May 23, 2013, p. 32.

[10] Federal standards include NIST SP 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, issued June 2013; and NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, issued August 2009. Business best practices include the Chief Information Officers Council's Government Mobile and Wireless Security Baseline, issued May 2013.

RESULTS OF REVIEW

We determined that SSA's mobile device security did not always conform with Federal standards and business best practices to mitigate unauthorized access to the Agency's sensitive information.[11] SSA did not adequately secure all of its mobile devices, potentially putting Agency data at risk. For example, while SSA stated it had mitigating controls to encrypt files copied to a device, we successfully copied a file to a mobile device without encryption occurring. We believe this occurred because SSA did not have a comprehensive, consolidated policy on mobile devices, lacked configuration guides for all mobile devices, and provided minimal mobile device security training.

[11] For the purposes of this review, we considered the following to be sensitive Agency information: personally identifiable information (of the public and SSA staff), staff contact and location information, and technology information such as login identifications, passwords, and network data.

Comprehensive, Consolidated Mobile Device Policy

Federal guidelines acknowledge that developing a mobile device policy is a critical task an Agency should perform before it begins using mobile devices.[12] A mobile device security policy should define which types of organizational information can be accessed via mobile devices, which types of mobile devices are permitted to access the organizational information, and how much access mobile devices may have.[13] Furthermore, the Mobile Work Exchange recommends agencies have clearly written policies that provide workers the guidance to use mobile devices safely.[14]

SSA did not have a comprehensive, consolidated mobile device policy. SSA staff stated mobile devices were covered under the Agency's information technology policies. However, these policies did not define the types of Agency information accessible by mobile devices, the types of mobile devices permitted to access agency information, or the access level of mobile device users. It is important that SSA define these levels of access, as doing so allows the Agency to limit the risk it incurs by permitting the most-controlled devices to have the most access and the least-controlled devices to have only minimal access.

Additionally, without clear guidance, employees may not know which policies apply to mobile devices. Although about half of the 17 mobile device users we interviewed stated the devices should only be used for official Government business, none could identify existing information technology policies that applied to mobile devices. We believe this is because SSA inconsistently categorized mobile devices in multiple Agency policies.[15] We believe SSA should develop a comprehensive, consolidated mobile device policy that, at a minimum, includes a definition of mobile devices and uses consistent terminology.[16]

[12] NIST SP 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, June 2013, p. 10.

[13] Id.

[14] The Mobile Work Exchange is a public-private partnership focused on demonstrating the value of mobility and telework and serving the emerging educational and communication requirements of the Federal mobile/telework community.

[15] In various policies, SSA categorized mobile devices as telecommunications equipment, personal property, and office equipment. Additionally, the policies used different terminology (for example, they used the terms cell phone, Blackberry, or mobile computing device).

[16] Since the Agency has different brands of mobile devices, we recommend that policy not be brand-specific.

Mobile Device Configuration

A baseline configuration is a documented set of specifications and provides device-specific settings. These settings are intended to mitigate certain risks with mobile devices.

• Third-Party Applications. There are Websites that provide third-party applications to download onto a mobile device.[17] These applications could contain malicious code.[18] Federal standards recommend that organizations view unknown third-party mobile device applications as untrustworthy.[19]

• Location Services. Location services map devices' physical locations. Mobile devices with location services enabled are at increased risk of targeted attacks. It is easier for attackers to determine where the user and the mobile device are and to correlate information about other sources with whom the user associates and the kinds of activities they perform in particular locations.

• Authentication. Authentication, such as requiring a passcode before accessing the mobile device, can mitigate risk. If the device does not require authentication, unauthorized users could access Agency data that may be stored on, or accessed by, the mobile device. Agencies should consider requiring that employees establish passcodes on mobile devices.

• Automatic Wipe. Devices should automatically wipe after unsuccessful attempts to unlock them.[20] Configuring a mobile device to wipe itself after a specified number of failed attempts at entering a passcode will erase the data and reinitialize the settings to factory defaults.

• Locked Security Settings. If users can circumvent mobile devices' established security settings, they may leave the device exposed to vulnerabilities and weaknesses that attackers could exploit.[21] Agencies should assume mobile devices are untrusted unless properly secured and monitored.[22]

[17] A third-party application is software provided by someone other than the manufacturer of the device.

[18] There is malicious software online, most of which looks like legitimate applications. One example is a fake storefront for applications that lures users into downloading malicious software. Some malicious software can allow attackers to seize complete control of a mobile device. Last year, there was steady growth in malicious mobile software.

[19] NIST SP 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, June 2013, p. 5.

[20] Id. at p. 9.

[21] Some users may bypass operating system lockout features to install applications (known as jailbreaking).

[22] NIST SP 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, June 2013, p. 4.

Blackberry Devices

SSA centrally manages the Blackberry devices that connect to its network. Through this system, SSA can erase the data and restore the device to factory settings if a Blackberry smartphone is lost or stolen.[23]

SSA's baseline Blackberry configuration disables users' ability to download third-party applications. Of the 4,393 Blackberry mobile devices SSA was managing as of June 2014, 4,097 should have had SSA's baseline configuration.[24] However, we found that 1,234 (about 30 percent) did not. As a result, the devices permitted users to download third-party applications. In addition, the baseline configuration did not disable location services.
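The five controls listed under Mobile Device Configuration, and the kind of fleet-wide comparison against a baseline whose outcome the paragraph above reports (1,234 of 4,097 devices off-baseline), as an added example that is not SSA's configuration or tooling: it encodes the controls as a baseline, evaluates each device record against it, and summarizes how many devices deviate and on which control. Every device record, identifier and numeric threshold below is constructed for illustration; the report gives no threshold values.

```python
"""Baseline compliance check for a fleet of mobile devices.

Added example, not SSA's configuration or tooling. It encodes the controls the
report lists under "Mobile Device Configuration" as a baseline and reports, per
device and for the fleet, which settings fall short. The device records,
identifiers and threshold values below are constructed for illustration.
"""

# Baseline: what each control should be. Boolean entries must match exactly;
# numeric entries are upper limits (the device value must be 1..limit).
BASELINE = {
    "third_party_apps_allowed": False,       # untrusted applications blocked
    "location_services_enabled": False,      # no location tracking
    "passcode_required": True,               # authentication before access
    "max_idle_minutes_before_lock": 15,      # assumed threshold, not from the report
    "max_failed_unlocks_before_wipe": 10,    # assumed threshold, not from the report
    "security_settings_locked": True,        # user cannot circumvent settings
}
LIMIT_KEYS = {"max_idle_minutes_before_lock", "max_failed_unlocks_before_wipe"}


def check_device(device, baseline=BASELINE):
    """Return the baseline controls this device fails, as 'key: reason' strings.

    A control absent from the record is a failure, not a pass: per the NIST
    stance the report cites, a device is untrusted until shown to be secured.
    For limit-type controls a value of 0 means 'never', so it fails too.
    """
    settings = device.get("settings", {})
    failures = []
    for key, required in baseline.items():
        actual = settings.get(key)
        if actual is None:
            failures.append(f"{key}: not configured")
        elif key in LIMIT_KEYS:
            if (isinstance(actual, bool) or not isinstance(actual, int)
                    or not 0 < actual <= required):
                failures.append(f"{key}: {actual} (baseline 1-{required})")
        elif actual != required:
            failures.append(f"{key}: {actual} (baseline {required})")
    return failures


def fleet_summary(devices, baseline=BASELINE):
    """Aggregate check_device over a fleet: which devices deviate, what share
    of the fleet that is, and how often each control is the one that fails."""
    by_control = {key: 0 for key in baseline}
    noncompliant = []
    for device in devices:
        failures = check_device(device, baseline)
        if failures:
            noncompliant.append(device["id"])
            for failure in failures:
                by_control[failure.split(":")[0]] += 1
    share = round(100.0 * len(noncompliant) / len(devices), 1) if devices else 0.0
    return {
        "total": len(devices),
        "noncompliant": len(noncompliant),
        "noncompliant_ids": noncompliant,
        "percent_noncompliant": share,
        "failures_by_control": by_control,
    }


# Constructed sample fleet (identifiers and values are invented).
SAMPLE_DEVICES = [
    {"id": "BB-0001", "type": "smartphone", "settings": {
        "third_party_apps_allowed": False, "location_services_enabled": False,
        "passcode_required": True, "max_idle_minutes_before_lock": 10,
        "max_failed_unlocks_before_wipe": 10, "security_settings_locked": True}},
    {"id": "BB-0002", "type": "smartphone", "settings": {   # off-baseline policy
        "third_party_apps_allowed": True, "location_services_enabled": True,
        "passcode_required": True, "max_idle_minutes_before_lock": 10,
        "max_failed_unlocks_before_wipe": 10, "security_settings_locked": True}},
    {"id": "TAB-0001", "type": "tablet", "settings": {      # never locks, no wipe
        "third_party_apps_allowed": False, "location_services_enabled": False,
        "passcode_required": False, "max_idle_minutes_before_lock": 0,
        "security_settings_locked": True}},
    {"id": "FP-0001", "type": "feature_phone", "settings": {}},  # never reviewed
]


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev["id"], check_device(dev) or "compliant")
    print(fleet_summary(SAMPLE_DEVICES))
```

The design point is that an unconfigured or unknown setting is reported as a deviation rather than silently passing; a device whose settings were never reviewed (the last sample record) therefore fails every control, which is the posture the report's "untrusted unless properly secured" guidance calls for.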
SSA personnel informed us they are working to change the configuration for these Blackberry devices and expect to complete these changes by the end of Calendar Year 2014.

Non-Blackberry Devices

According to SSA's inventory system, the Agency had approximately 251 non-Blackberry mobile devices—such as smartphones, tablets, and feature cellular telephones[25]—in service as of September 2013.[26] SSA did not have baseline configurations for these mobile devices and could not centrally enforce security controls on them. In addition, SSA could not remotely wipe non-Blackberry mobile devices if they were lost or stolen. We tested 10 non-Blackberry devices and found the following.

• None of the devices had passcodes.

• Only 2 of the 10 devices automatically locked after they were idle for a period.

• None of the devices was configured to wipe data after a certain number of incorrect password attempts.

• One smartphone had a number of third-party applications.

• Location services were not disabled on two feature cellular telephones.

• All the feature cellular telephones allowed users to circumvent security features.

• SSA did not review and configure device settings on eight mobile devices.

[23] We did not review the centralized Blackberry management process and therefore cannot conclude on its effectiveness.

[24] The Office of the Inspector General (OIG) had a customized, SSA-approved configuration in use on 296 Blackberry devices. We excluded the OIG from our formal analysis since it is an independent organization within the Agency.

[25] A feature telephone is a cellular telephone with functions above voice calling. For our review, the selected feature telephones had Bluetooth capability and the ability to access the Internet.

[26] The mobile devices had at least one wireless network interface, built-in data storage, and an operating system that was not a full-fledged desktop or laptop operating system.

While the number of non-Blackberry mobile devices is small compared to the number of Blackberry devices, we believe the number of non-Blackberry mobile devices in use at SSA will likely increase.[27] To ensure adequate security and mitigate risks, we believe SSA should develop standard security configuration guides for each type of mobile device the Agency uses.

SSA's Office of Systems, as the primary purchaser of Blackberry smartphones for the Agency, distributed the devices throughout SSA and centrally managed them. However, any component in the Agency could purchase mobile devices (including Blackberry and non-Blackberry devices). By permitting this decentralized procurement, the Agency relied on non-technical staff to configure mobile devices procured outside the Office of Systems.[28] When components procure and deploy mobile devices without the Office of Systems' knowledge or involvement, they could introduce security risks. The unsupported hardware and software were not subject to the same security measures applied to the technologies the Office of Systems supported.

[27] SSA has purchased over half of its tablets in the last 2 years.

[28] SSA has decentralized procurement for mobile devices with decentralized responsibility for the security of those devices. SSA does not restrict the types of mobile devices components can procure.

Information Security Awareness Training

SSA's mandatory, annual information security awareness training includes minimal training for mobile devices. To enhance security that the Agency may not be able to enforce directly, SSA should educate mobile device users on the importance of specific mobile device security measures. Additionally, SSA should define in policy and mobile device agreements users' responsibilities for implementing these measures. Rules of behavior specific to mobile devices would strengthen employee awareness of appropriate usage.[29]

[29] Other Federal agencies – including the Federal Emergency Management Agency, Transportation Security Administration, and U.S. Coast Guard – have developed specific rules of behavior for mobile devices, and provided specific training on acceptable use of mobile devices in addition to general information technology security awareness.

CONCLUSIONS

We determined that SSA's mobile device security did not always conform with Federal standards and business best practices to mitigate unauthorized access to the Agency's sensitive information. Specifically, SSA did not have a comprehensive, consolidated mobile device policy or secure all mobile devices, and provided minimal mobile device security training.

RECOMMENDATIONS

We recommend the Agency:

1. Develop a comprehensive, consolidated mobile device policy.

2. Develop and apply standard security configurations for all Agency-issued mobile devices.

3. Enhance annual information technology security awareness training to remind individuals who use mobile devices of their responsibilities, acceptable behavior, and specific risks when using Agency-issued mobile devices.

AGENCY COMMENTS

SSA agreed with our recommendations. See Appendix B for the full text of the Agency's comments.

OTHER MATTERS

To conduct our review, we relied on a mobile device inventory from SSA. During our assessment of the inventory's reliability, we found that SSA's Sunflower Assets Property System contained inaccurate and incomplete information.[30]

SSA policy requires that staff enter sensitive items into the Agency's property management system.[31] The policy specifically identifies cellular telephones and Blackberry smartphones. Additionally, Agency policy requires that custodial officers inventory sensitive property every 3 years.[32] Finally, SSA policy includes a list of sensitive items to be inventoried. This list is specific in brand (Blackberry) and only includes cellular telephones and laptops. SSA does not require that staff inventory all types of mobile devices.

We obtained Blackberry data from SSA's Sunflower Assets Property System as well as the Agency's Blackberry Enterprise System.

[30] While the data were incomplete and inaccurate, we found them to be sufficiently reliable for the limited purposes of this review. We did not perform further analysis of the inventory discrepancies as we plan to review the information technology inventory process in the future.

[31] SSA, Administrative Instructions Manual System, M0404 Material Resources, Chapter 04 Property Management, Instruction Number 04 Physical Inventory of Personal Property, §04.04.02B.

[32] Id. at §04.04.05B.

Table 1: Blackberry Devices Reported in Service

System                                               Blackberry Devices Reported as in Service
Sunflower Asset Management System (September 2013)                     6,615
Blackberry Enterprise System (February 2014)                           4,273

We compared the data in the two systems using the devices' serial numbers. We found that only 1,023 of the Blackberry devices recorded in Sunflower as "in service" as of September 2013 were actually connected to SSA's network as of February 2014. Therefore, it appears that

• just over 5,000 Blackberry devices that had actually been taken out of service were incorrectly reported as in service in Sunflower, and

• more than 3,000 Blackberry devices were actually in service but may not have been properly recorded in Sunflower.[33]

[33] We compared data from the two systems using the devices' serial numbers. The serial number was not included in the data we obtained from the Blackberry Enterprise System for 110 devices; therefore, we were unable to determine whether the devices were included in Sunflower.

APPENDICES

Appendix A – SCOPE AND METHODOLOGY

Our objective was to determine whether the Social Security Administration's (SSA) mobile device security conformed with Federal standards and business best practices to mitigate unauthorized access to the Agency's sensitive information.

To accomplish the audit objective we:

• Reviewed applicable Federal guidelines and standards.

• Reviewed the Chief Information Officers Council and Department of Homeland Security's Mobile Security Reference Architecture and Mobile Computing Decision Framework.

• Reviewed SSA policy and the Information Systems Security Handbook.

• Interviewed SSA subject matter experts, including mobile device support staff, custodial officers, and owners of the sampled mobile devices.

• Tested 17 mobile devices and interviewed the users.

• Analyzed Blackberry Enterprise policy data.

We obtained a sufficient understanding of information systems controls as they related to this review. We assessed the completeness, accuracy, and validity of the data from the asset management software. Through our testing, we found that key data elements of the asset management system were inconsistent, inaccurate, and possibly incomplete.
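The data-reliability check just described and the serial-number comparison reported under Other Matters (Table 1 and footnote 33), as an added example that is not the report's or the Agency's tooling: two inventories are joined on normalized serial number, records on either side that cannot be matched are classified, and server records that carry no serial number are counted separately because they cannot be matched at all. The record layouts, field names and sample values are constructed; only the totals passed to the last function (6,615; 4,273; 1,023; 110) come from the report.

```python
"""Reconcile two device inventories by serial number.

Added example, not the report's or the Agency's tooling. It mirrors the
comparison described under Other Matters: records the property system lists as
"in service" are joined on serial number to the devices the management server
reports as connected, and records with no serial number are counted separately
because they cannot be matched (footnote 33). The sample records and field
names below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Reconciliation:
    in_both: set             # in service per property system and connected per server
    stale_in_property: set   # in service per property system, but not connected
    unrecorded: set          # connected, but not in service per property system
    unmatchable: int         # server records with no serial number
    duplicate_serials: dict  # serial -> occurrences, for serials listed more than once


def normalize_serial(raw):
    """Canonical serial (trimmed, upper-case, no dashes) or None when absent."""
    if raw is None:
        return None
    serial = str(raw).strip().upper().replace("-", "")
    return serial or None


def serial_counts(records):
    """Count occurrences of each usable serial; also count records without one."""
    counts, missing = {}, 0
    for rec in records:
        serial = normalize_serial(rec.get("serial"))
        if serial is None:
            missing += 1
        else:
            counts[serial] = counts.get(serial, 0) + 1
    return counts, missing


def reconcile(property_in_service, server_connected):
    """Set-compare the two sources on serial number."""
    prop_counts, _ = serial_counts(property_in_service)
    srv_counts, srv_missing = serial_counts(server_connected)
    prop, srv = set(prop_counts), set(srv_counts)
    dups = {s: n for counts in (prop_counts, srv_counts)
            for s, n in counts.items() if n > 1}
    return Reconciliation(
        in_both=prop & srv,
        stale_in_property=prop - srv,
        unrecorded=srv - prop,
        unmatchable=srv_missing,
        duplicate_serials=dups,
    )


def derive_figures(property_total, server_total, matched, server_missing_serial):
    """Reproduce the report's arithmetic from totals alone: how many property
    records had no connected device behind them, and how many connected devices
    the property system lacked (some of which could not be checked at all)."""
    return {
        "stale_in_property": property_total - matched,
        "connected_not_matched": server_total - matched,
        "of_which_no_serial": server_missing_serial,
    }


# Constructed sample data (invented tags, serials and statuses).
PROPERTY_RECORDS = [
    {"tag": "SF-001", "serial": "ABC123", "status": "in service"},
    {"tag": "SF-002", "serial": " abc-124 ", "status": "in service"},  # needs normalizing
    {"tag": "SF-003", "serial": "ABC125", "status": "in service"},     # not connected
    {"tag": "SF-004", "serial": "ABC123", "status": "in service"},     # duplicate entry
    {"tag": "SF-005", "serial": "ABC126", "status": "excess"},         # out of scope
]
SERVER_RECORDS = [
    {"serial": "ABC123"},
    {"serial": "ABC124"},
    {"serial": "ABC999"},   # connected but absent from the property records
    {"serial": ""},         # no serial exported: cannot be matched
    {"serial": None},
]


def in_service(records):
    """Keep only the records the property system reports as in service."""
    return [r for r in records if r.get("status") == "in service"]


def run_sample():
    return reconcile(in_service(PROPERTY_RECORDS), SERVER_RECORDS)


if __name__ == "__main__":
    print(run_sample())
    print(derive_figures(6615, 4273, 1023, 110))
```

Serials are normalized before comparison because the two systems are maintained by different staff and rarely agree on case, whitespace or punctuation; duplicate serials are surfaced rather than silently collapsed, since a serial recorded twice is itself an inventory defect worth a custodial officer's attention.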
Despite these limitations, we believe SSA's asset management system data were sufficiently reliable for the limited use of sampling mobile devices in the Agency.

We conducted our work from September 2013 through May 2014 in Baltimore, Maryland. The entities reviewed were the Offices of Budget, Finance, Quality and Management; Disability Adjudication and Review; Human Resources; Operations; and Systems. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Scope of the Review

The scope of the review was the confidentiality of Agency data.[1] For our review, we considered a mobile device to be hand-held and to have

1. at least one wireless network interface for network access;

2. built-in data storage; and

3. an operating system that is not a full-fledged desktop or laptop operating system.

This included smartphones, tablets, and feature cellular telephones. We did not include non-feature cellular telephones, laptops, or portable mass storage devices in our review.

Blackberry Mobile Device Sample

We selected 50 Blackberry mobile devices from SSA's property management system. Of the 50 "in service" Blackberry mobile devices we sampled, 45 were no longer in use. Because of the inaccuracy of SSA's Sunflower Assets Property system, we could physically test only seven Blackberry mobile devices.[2] We tested a subset of the mobile devices' controls, basing our tests on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations; NIST SP 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise; and the Chief Information Officers Council's Mobile Security Reference Architecture. This testing provided assurance that the data from the Blackberry management software accurately reflected the configuration on the mobile device.

Using the data from the Agency's Blackberry management software, we reviewed the configuration for all Blackberry mobile devices registered. SSA's Blackberry management software registered about 4,100 Blackberry mobile devices in service as of May 2014 that were applicable to our review.

[1] NIST SP 800-124 (page 3). According to NIST, confidentiality is ensuring transmitted and stored data cannot be read by unauthorized parties.

[2] We tested four of the five remaining sampled Blackberry mobile devices. We also tested replacement devices for 3 of the 45 employees whose inventoried device was no longer in use.

Non-Blackberry Mobile Device Sample

The population from which we sampled included Agency-inventoried, non-Blackberry mobile devices within the scope of this review. SSA's asset management software had 251 non-Blackberry mobile devices in service as of September 2013 that were applicable to our review. We categorized the mobile devices into one of the following: non-Blackberry smartphones; feature cellular telephones (have Internet access or Bluetooth capability); and tablet computers.

Table A–1: SSA Mobile Device Inventory as of September 2013 [3]

Device                             Count    Tested
Non-Blackberry Smartphones            56         3
Feature Cellular Telephones [4]      173         3
Tablet Computers                      22         4
TOTAL                                251        10

We tested 10 non-Blackberry mobile devices. We tested a subset of the mobile devices' controls, basing our tests on NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations; NIST SP 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise; and the Chief Information Officers Council's Mobile Security Reference Architecture.

[3] This inventory did not include mobile devices in the OIG.

[4] A feature telephone is a cellular telephone with functions above voice calling. For our review, the selected feature telephones had Bluetooth capability and the ability to access the Internet.

Appendix B – AGENCY COMMENTS

SOCIAL SECURITY

MEMORANDUM

Date:     August 29, 2014                                   Refer To:   S1J-3
To:       Patrick P. O'Carroll, Jr.
          Inspector General
From:     James A. Kissko /s/
          Chief of Staff
Subject:  Office of the Inspector General Draft Report, "Mobile Device Security" (A-14-14-14051) - INFORMATION

Thank you for the opportunity to review the draft report. Please see our attached comments.

Please let me know if we can be of further assistance. You may direct staff inquiries to Gary S. Hatcher at (410) 965-0680.

Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT, "MOBILE DEVICE SECURITY" (A-14-14-14051)

Recommendation 1

Develop a comprehensive, consolidated mobile device policy.

Response

We agree. While we believe that we address many aspects of mobile device security in various sections of our Information Systems Security Handbook, we will review the relevant sections to determine how best to present this information in a consolidated format. We plan to complete our review no later than December 2014.

Recommendation 2

Develop and apply standard security configurations for all Agency-issued mobile devices.

Response

We agree. We anticipate completing the development of standard security configurations for all agency-issued mobile devices by December 31, 2014. As for non-network mobile devices (i.e., those devices purchased with agency funds, but which are un-managed and restricted from connecting to our network), there are inherent technical limitations. Developing standard security configuration baselines for non-network mobile devices would be cost-prohibitive, and ultimately ineffective because these devices cannot connect to the network to deploy a baseline configuration.
We plan to develop guidance for agency purchasers of non-network mobile\ndevices to assist in configuring these devices with minimum mobile safeguards as recommended.\nWe anticipate starting the development of this guidance in September 2014.\n\nRecommendation 3\n\nEnhance annual information technology security awareness training to remind individuals who\nuse mobile devices of their responsibilities, acceptable behavior, and specific risks when using\nAgency-issued mobile devices.\n\nResponse\n\nWe agree. We recently released our annual security and awareness training for fiscal year\n(FY) 2014. We will incorporate mobile device security training in our annual awareness training\nfor FY 2015.\n\n\n\n\nMobile Device Security (A-14-14-14051)                                                         B-2\n\x0cAppendix C \xe2\x80\x93 MAJOR CONTRIBUTORS\nJeffrey Brown, Director\n\nMary Ellen Moyer, Audit Manager\n\nJan Kowalewski, Auditor in Charge\n\n\n\n\nMobile Device Security (A-14-14-14051)   C-1\n\x0c                                           MISSION\nBy conducting independent and objective audits, evaluations, and investigations, the Office of\nthe Inspector General (OIG) inspires public confidence in the integrity and security of the Social\nSecurity Administration\xe2\x80\x99s (SSA) programs and operations and protects them against fraud,\nwaste, and abuse. 
We provide timely, useful, and reliable information and advice to\nAdministration officials, Congress, and the public.\n\n\n                                   CONNECT WITH US\nThe OIG Website (http://oig.ssa.gov/) gives you access to a wealth of information about OIG.\nOn our Website, you can report fraud as well as find the following.\n   \xe2\x80\xa2   OIG news                                  In addition, we provide these avenues of\n   \xe2\x80\xa2   audit reports\n                                                 communication through our social media\n                                                 channels.\n   \xe2\x80\xa2   investigative summaries\n   \xe2\x80\xa2   Semiannual Reports to Congress                Watch us on YouTube\n   \xe2\x80\xa2   fraud advisories                              Like us on Facebook\n   \xe2\x80\xa2   press releases\n                                                     Follow us on Twitter\n   \xe2\x80\xa2   congressional testimony\n   \xe2\x80\xa2   an interactive blog, \xe2\x80\x9cBeyond The              Subscribe to our RSS feeds or email updates\n       Numbers\xe2\x80\x9d where we welcome your\n       comments\n\n\n                          OBTAIN COPIES OF AUDIT REPORTS\nTo obtain copies of our reports, visit our Website at http://oig.ssa.gov/audits-and-\ninvestigations/audit-reports/all. For notification of newly released reports, sign up for e-updates\nat http://oig.ssa.gov/e-updates.\n\n\n                          REPORT FRAUD, WASTE, AND ABUSE\nTo report fraud, waste, and abuse, contact the Office of the Inspector General via\n   Website:        http://oig.ssa.gov/report-fraud-waste-or-abuse\n   Mail:           Social Security Fraud Hotline\n                   P.O. Box 17785\n                   Baltimore, Maryland 21235\n   FAX:            410-597-0118\n   Telephone:      1-800-269-0271 from 10:00 a.m. to 4:00 p.m. Eastern Standard Time\n   TTY:            1-866-501-2101 for the deaf or hard of hearing\n\x0c'